Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- VIP Hairpin NAT - issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VIP Hairpin NAT - issue
Hi,
Like the title suggests, like trying to configure a Hairpin-NAT ( SSLVPN > LAN ) I got across the most annoying thing ever. I did configure some so far, but only from LAN > LAN this one I think it's a first.
This works ( SSLVPN > LAN ) for some reason if I enable WAN > LAN , but I dont want access from WAN to the VIP, only from SSLVPN.
id=20085 trace_id=13771 func=print_pkt_detail line=5869 msg="vd-VDOM:0 received a packet(proto=6, 192.168.220.100:64947->PUB-IP:3050) tun_id=0.0.0.0 from ssl.VDOM. flag [S], seq 1209702776, ack 0, win 8192"
id=20085 trace_id=13771 func=init_ip_session_common line=6048 msg="allocate a new session-ef2fd6a5, tun_id=0.0.0.0"
id=20085 trace_id=13771 func=iprope_dnat_check line=5338 msg="in-[ssl.VDOM], out-[]"
id=20085 trace_id=13771 func=iprope_dnat_tree_check line=827 msg="len=1"
id=20085 trace_id=13771 func=__iprope_check_one_dnat_policy line=5198 msg="checking gnum-100000 policy-2"
id=20085 trace_id=13771 func=get_new_addr line=1223 msg="find DNAT: IP-10.0.0.2, port-3050"
id=20085 trace_id=13771 func=__iprope_check_one_dnat_policy line=5293 msg="matched policy-2, act=accept, vip=2, flag=100, sflag=2000000"
id=20085 trace_id=13771 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-2, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=13771 func=iprope_fwd_check line=784 msg="in-[ssl.VDOM], out-[VDOM-WAN], skb_flags-02000000, vid-2, app_id: 0, url_cat_id: 0"
id=20085 trace_id=13771 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=13771 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-5, ret-no-match, act-accept"
id=20085 trace_id=13771 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-8, ret-no-match, act-accept"
id=20085 trace_id=13771 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=13771 func=__iprope_user_identity_check line=1816 msg="ret-matched"
id=20085 trace_id=13771 func=__iprope_check_one_policy line=2244 msg="policy-0 is matched, act-drop"
id=20085 trace_id=13771 func=iprope_fwd_check line=821 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=13771 func=iprope_fwd_auth_check line=840 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=13771 func=_pre_route_auth line=106 msg="pre_route_auth check fail(id=0), drop"
config firewall vip
edit "viP_10.0.0.2-3050"
set id 1
set extip PUB-IP
set mappedip "10.0.0.2"
set extintf "any"
set portforward enable
set extport 3050
set mappedport 3050
next
end
config firewall policy
edit <>
set srcintf "ssl.VDOM"
set dstintf "LAN"
set action accept
set srcaddr "SSLVPN_TUNNEL_ADDR2"
set dstaddr "viP_10.0.0.2-3050"
set schedule "always"
set service "ALL"
set logtraffic all
set groups "SSL VPN"
next
end
get router info routing-table details 10.0.0.2
Routing entry for 10.0.0.0/8
Known via "static", distance 10, metric 0, best
* 172.16.16.2, via LAN
Anyone got any ideas, cuz I ran out of any :) ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Labels:
- Labels:
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you want for all SSL VPN users to use the VIP outside IP (currently WAN interface IP) to access the device with 10.0.0.2 IP, right? While those SSL VPN users can access directly to 10.0.0.2 when the VPN is up. Why do you need the VIP at the first place then.
Toshi
Created on 03-10-2025 11:06 AM Edited on 03-10-2025 11:14 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, as you probably might know some customers are just that way ... the demand is the access the public IP although it has access to the internal IP also :)
L.E. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448 as per example 1 this is also my case, but from WAN to LAN i cannot seem to narrow it down to only the private subnet, it only works with all .
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My point is those SSL VPN users don't need to use the public IP even when they're off-site accessing over the internet since they have SSL VPN (isn't that the purpose of having SSL VPN?).
And only if someone else needs to access it over the internet WITHOUT SSL VPN, of course you have to have a policy WAN->LAN with the VIP. But you said only from SSL VPN.
The hairpin is needed when the same user needs/wants to use the same host IP regardless when he/she is outside or inside of the office. But for SSL VPN users, they just need to use 10.0.0.2 in both cases.
Toshi
Labels
-
FortiGate
9,431 -
FortiClient
1,917 -
5.2
801 -
FortiManager
799 -
5.4
639 -
FortiAnalyzer
616 -
FortiSwitch
515 -
FortiAP
507 -
FortiClient EMS
474 -
6.0
416 -
5.6
362 -
FortiMail
340 -
SSL-VPN
303 -
IPsec
278 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
226 -
FortiNAC
225 -
5.0
196 -
FortiGuard
151 -
SD-WAN
145 -
FortiAuthenticator
135 -
6.4
128 -
Firewall policy
108 -
FortiGateCloud
105 -
FortiSIEM
103 -
FortiCloud Products
102 -
FortiToken
96 -
Wireless Controller
86 -
Customer Service
82 -
FortiProxy
72 -
High Availability
68 -
4.0MR3
64 -
Fortivoice
61 -
FortiEDR
61 -
ZTNA
60 -
Routing
58 -
FortiADC
57 -
VLAN
57 -
DNS
55 -
BGP
53 -
FortiGate-VM
52 -
SAML
50 -
Authentication
50 -
RADIUS
49 -
FortiSandbox
48 -
LDAP
48 -
NAT
47 -
FortiExtender
46 -
Certificate
44 -
FortiDNS
43 -
SSO
43 -
FortiGate v5.4
35 -
VDOM
35 -
FortiLink
35 -
FortiSwitch v6.4
34 -
Application control
34 -
Interface
33 -
FortiConnect
32 -
Logging
32 -
FortiWAN
29 -
Web profile
29 -
Virtual IP
28 -
FortiGate v5.2
26 -
FortiConverter
26 -
FortiPAM
26 -
FortiPortal
23 -
SSL SSH inspection
23 -
FortiGate Cloud
21 -
Traffic shaping
21 -
Automation
21 -
Static route
21 -
FortiSwitch v6.2
20 -
SSID
20 -
SNMP
19 -
FortiMonitor
18 -
WAN optimization
18 -
OSPF
16 -
System settings
16 -
FortiDDoS
15 -
Security profile
15 -
Web application firewall profile
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
API
14 -
Admin
14 -
IP address management - IPAM
14 -
IPS signature
13 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiManager v4.0
11 -
FortiRecorder
11 -
Traffic shaping policy
11 -
FortiAP profile
11 -
Web rating
11 -
Intrusion prevention
11 -
FortiBridge
10 -
Explicit proxy
10 -
Fabric connector
10 -
Port policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiWeb v5.0
9 -
DNS filter
9 -
Users
9 -
Traffic shaping profile
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
trunk
8 -
Antivirus profile
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiToken Cloud
6 -
Packet capture
6 -
Authentication rule and scheme
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
DLP profile
5 -
DoS policy
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2087 | |
| 1181 | |
| 770 | |
| 451 | |
| 344 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.